
Cloudtrail event notifications

0

Hello, we have configured a Control Tower landing zone and enrolled tens of accounts in our organization.

We would like to monitor some of the actions (ConsoleLogin, SwitchRole, CreateUser, CreatePolicy, CreateRole, PutGroupPolicy, ...) across all accounts in the organization and be notified via Slack or PagerDuty when an action occurs.

Is there any out-of-the-box solution or recommended approach?

I am considering two approaches:

  1. Listen to the CloudTrail S3 logs bucket: Create an account which will have read-only access to the CloudTrail logs S3 bucket in the Log Archive account. A Lambda function will be triggered on new records in the bucket. It will download the files from S3 and parse the events. The huge disadvantage is that it will have to parse all CloudTrail entries, which could be expensive and inefficient.

  2. Aggregate events using EventBridge buses: Create a dedicated account "Audit Notifications" where there will be an EventBridge event bus aggregating matched events from all other accounts. In the "Audit Notifications" account, an event rule with a Lambda target will forward the matched events from all accounts to Slack/PagerDuty/... An event rule forwarding matched events to the Event Bus target in "Audit Notifications" will be deployed into each governed region in each member account. Similar to what is described in https://aws.amazon.com/premiumsupport/knowledge-center/root-user-account-eventbridge-rule/

I favor the second approach, but maybe there are other options. Thanks.

1 Answer
0
Accepted Answer

Hi, there are probably a couple of ways to achieve this, but here's a common pattern. Control Tower sets up the centralized log bucket, but it also configures a CloudWatch Log Group in each account for the local CloudTrail logs. You can create Metric Filters on that Log Group for specific actions, for instance IAM policy changes or failed logins. Documentation here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CreateMetricFilterProcedure.html and https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html.

That log filter can send the alerts to the Control Tower-created SNS topic aws-controltower-SecurityNotifications. This topic forwards the alerts via a Lambda function to a topic in the Audit account, which can then have subscriptions to email, PagerDuty, etc. Bear in mind that the central SNS topic may get a little noisy, so it may be a case of creating new topics. You could also subscribe to the SNS topics in each account differently. That would provide some flexibility on who/what gets alerts from specific accounts.

On the deployment side, if you are using CloudFormation and create a template for the metric filters, then the Customizations for Control Tower solution https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/ or Organizations StackSets https://aws.amazon.com/blogs/aws/new-use-aws-cloudformation-stacksets-for-multiple-accounts-in-an-aws-organization/ can help you deploy the same template to many accounts quickly and easily, managing the deployment and updates from a central location.

answered 3 years ago
  • Hi Jimmy, thanks for the suggestions. I was considering connecting it to the CloudWatch Log Group created in each member account for CloudTrail; however, I am more interested in distinct events than in metric alerts at the moment, so I would have to use a subscription filter instead of a metric filter on the log group. But the subscription filter does not support an SNS topic or Event Bus in the same or a different account.

    That is why I chose a default Event Bus filter on CloudTrail events in the member account, forwarding to a custom Event Bus in the Audit Notifications account. A similar template https://gist.github.com/Halama/e5db7ab0cc7b2762ff7f9a28fa1eac84#file-cloudtrail- would be deployed into each member account using Organizations StackSets as you suggested (CT customizations are promising but at the moment seem too complex).
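The member-account side of the second approach (the default-bus rule forwarding to the Audit Notifications bus), written out as an added example; this is not the linked gist or AWS-provided code, and the `AuditAccountId` parameter, the bus name `audit-notifications` and the resource names are assumptions:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  AuditAccountId:
    Type: String          # placeholder: the "Audit Notifications" account ID
  AuditEventBusName:
    Type: String
    Default: audit-notifications   # assumed name of the custom bus there
Resources:
  # Role EventBridge assumes when putting matched events onto the remote bus.
  ForwardRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: events.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: put-events-to-audit-bus
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: events:PutEvents   # least privilege: only this bus
                Resource: !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AuditAccountId}:event-bus/${AuditEventBusName}
  # Matches only the CloudTrail events listed in the question. IAM and sign-in
  # are global services, so their events reach EventBridge in us-east-1 only;
  # deploy there even if the other governed regions get the same stack.
  AuditEventsRule:
    Type: AWS::Events::Rule
    Properties:
      Name: forward-audit-events
      EventPattern:
        detail-type:
          - AWS API Call via CloudTrail
          - AWS Console Sign In via CloudTrail
        detail:
          eventName:
            - ConsoleLogin
            - SwitchRole
            - CreateUser
            - CreatePolicy
            - CreateRole
            - PutGroupPolicy
      Targets:
        - Id: audit-bus
          Arn: !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AuditAccountId}:event-bus/${AuditEventBusName}
          RoleArn: !GetAtt ForwardRole.Arn
```

The custom bus in the Audit Notifications account also needs an `AWS::Events::EventBusPolicy` that allows `events:PutEvents` from the member accounts (for example scoped with an `aws:PrincipalOrgID` condition), otherwise the forwarded events are rejected.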
